Palo Alto Firewall Pre-Rule "Golden Rules"
This document is a result of the first phase of the Cybersecurity to the Edge (C2E) firewall administration project. It is provided to UW-Madison campus Palo Alto network firewall administrators to explain the purpose and practice of the pre-rules that cannot be edited from an individual firewall, currently (with PAN-OS releases 9.1 and 9.0) identified as the "Golden Rules".
The first thing every Palo Alto virtual firewall (vsys) administrator sees when accessing their firewall, and the thing that all vsys rulebases have in common, is the set of pre-rules pushed from the campus Panorama. An image of these rules, also known as the "golden rules," is shown below. Panorama pre-rules are evaluated before any rule set by the vsys administrators, and the first matching rule wins, so a pre-rule can allow or block traffic before a local rule is ever consulted. Because of this they need to be written carefully so as not to have a negative impact on our University's mission while still providing the best security protections.
These rules are editable only by firewall experts employed by the Division of Information Technology (DoIT). They are edited based on practices and suggestions from the Network Firewall Advisory Group (NFWAG). Changes are processed, documented and approved through the DoIT change management process in the central DoIT ticketing system (Cherwell). The timing and content of any change are then communicated to the DoIT Operations and UW-Madison Campus Firewall Administrators Microsoft Teams channels.
The rules currently contain allowances for campus access to DoIT-provided services such as DNS, security vulnerability scanners, network management and monitoring tools, and routing protocols, along with restrictions on traffic to and from known-bad and non-routable (private) IP address ranges.
The pre-rules in their current configuration are implemented to follow the recommendations of the C2E documented Baseline Practices. They include:
- A global tag on every rule
- A description on each rule stating the purpose of the rule
- Rule names that are easily understandable and descriptive
- Security Profiles applied where necessary
- App-ID (application) set where applicable, rather than matching on port or service alone
- Restricting allow rules to specified source and destination addresses, limiting the exposure created by allowed traffic
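The practices above can be checked mechanically against a rulebase export. The script below is an added example (not code from the C2E project or DoIT) that lints a Panorama pre-rulebase for each practice: global tag present, description present, descriptive name, App-ID not "any" on allow rules, no allow rule with source any and destination any, and a security profile on allow rules. It assumes the XML layout of a PAN-OS security-rule export (`entry`, `tag`, `description`, `application`, `profile-setting` elements); the sample rules, the tag name `C2E-global` and the address-object names in it are constructed for illustration.

```python
"""Lint a Panorama pre-rulebase export against the C2E baseline practices.

Added example for illustration; not code from the C2E project or DoIT.
The XML layout follows the PAN-OS security-rule schema (assumption: rule
entries carry tag/description/application/profile-setting children as
below). Rule names, tags and address-object names are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one compliant rule and two that violate the practices.
SAMPLE_PRERULES = """
<pre-rulebase><security><rules>
  <entry name="C2E-allow-campus-dns">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source>
    <destination><member>campus-dns-resolvers</member></destination>
    <application><member>dns</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
    <tag><member>C2E-global</member></tag>
    <description>Campus clients to DoIT recursive DNS resolvers</description>
    <profile-setting><group><member>C2E-default</member></group></profile-setting>
  </entry>
  <entry name="rule1">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>allow</action>
  </entry>
  <entry name="C2E-deny-bogons">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>bogon-private-ranges</member></source>
    <destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
    <tag><member>C2E-global</member></tag>
  </entry>
</rules></security></pre-rulebase>
"""

REQUIRED_TAG = "C2E-global"  # assumed name of the global tag


def members(entry, path):
    """Return the <member> values under a child element such as 'source'."""
    return [m.text.strip() for m in entry.findall(f"{path}/member") if m.text]


def lint_rule(entry):
    """Return a list of baseline-practice findings for one rule entry."""
    findings = []
    name = entry.get("name", "")
    action = (entry.findtext("action") or "").strip()

    if REQUIRED_TAG not in members(entry, "tag"):
        findings.append("missing global tag")
    if not (entry.findtext("description") or "").strip():
        findings.append("missing description")
    # Names like "rule1" say nothing about purpose; require something longer
    # and not just the generic "rule" prefix.
    if len(name) < 8 or name.lower().startswith("rule"):
        findings.append("non-descriptive rule name")

    # The remaining practices only reduce exposure on traffic that is allowed.
    if action == "allow":
        if "any" in members(entry, "application"):
            findings.append("allow rule without app-id")
        if "any" in members(entry, "source") and "any" in members(entry, "destination"):
            findings.append("allow rule with source any and destination any")
        has_profile = (entry.find("profile-setting/group/member") is not None
                       or entry.find("profile-setting/profiles") is not None)
        if not has_profile:
            findings.append("allow rule without security profile")
    return findings


def lint_rulebase(xml_text):
    """Map each rule name in the export to its list of findings."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): lint_rule(e) for e in root.findall(".//rules/entry")}


if __name__ == "__main__":
    for rule, findings in lint_rulebase(SAMPLE_PRERULES).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{rule}: {status}")
```

Run against a real export by replacing `SAMPLE_PRERULES` with the contents of the pre-rulebase XML; the deny rule is flagged only for its missing description, since the App-ID and address restrictions are meant to limit what allow rules expose rather than what deny rules block.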
Please direct any questions or feedback regarding these pre-rules to firstname.lastname@example.org; they will be routed to the appropriate firewall expert.